[pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Hi all,

I'm having some confusion with my OPT1 interface. I've found quite a few
questions around OPT1 routing, with various solutions too, however none
of them seem to be applicable to me. I may be misunderstanding something
basic, so please bear with me.

I had pfSense inside KVM, with two virtual NICs, each connected to their
corresponding physical NIC. One physical NIC goes to a LAN switch, and
the other to a second switch, into which is plugged a DSL modem. I have
another KVM host plugged into the same switches. It also runs this VM,
and I can migrate back and forth without issue. There's still a single
point of failure in each of the switches, and another in the modem, but
this is good enough for my needs so that I may patch hosts independently
etc. Internet access continues during the migration from host A to host
B and vice versa.

I've added a third NIC, (eth2 on the KVM hosts), added a bridge in the
same way as the others (VMBR2), and presented this to the pfSense VM as
a third NIC. I've added this as OPT1, given it an address in the form
192.168.yyy.1 (the address on the LAN interface is 192.168.xxx.1). I've
connected these two new physical NICs to a separate switch, in the same
manner as the others. Therefore one physical host has three NICs each in
a separate switch.

I intend to mirror the functionality of the LAN in OPT1; just having an
extra range of addresses to use. For now I'd like LAN machines to be
able to contact OPT1 machines and vice-versa.

So the LAN interface still has this rule:
IPv4 *  LAN net *   *   *   *   none

And I've added this one to OPT1, just like the OpenVPN interface has:
IPv4 *  *   *   *   *   *   none

I have a machine plugged into the new switch, 192.168.yyy.60
From an address in 192.168.xxx.0, I can ping 192.168.xxx.1 and
192.168.yyy.1, but *not* 192.168.yyy.60 (destination host unreachable)

On the OPT1 rule, I have Log packets that are handled by this rule
ticked. Status -- System Logs -- Firewall doesn't contain anything at
all for the OPT1 interface. The packet RRD graph for the OPT1 interface
shows a lot of in-block which I don't understand given how relaxed the
rules are.

One odd thing I've noticed is:
The VM has three MAC addresses; one for LAN, one for WAN and one for
OPT1. Inside pfSense's Status -- Interface, they appear as:
WAN interface (PPPOE1) - 00:00:00:00:00:00  there is no WAN
interface and I don't understand this bit, but fair enough
LAN interface - has the VM's LAN MAC address, as you might expect.
OPT1 interface - actually has the VM's WAN MAC address (the second
interface rather than the third interface)

I did correct the MAC address for OPT1, only for it to break my internet
temporarily which a VM restart then fixed. This still hasn't resolved
the routing.

Any help is appreciated. If the issue is due to my virtualised setup,
I'd be interested to know why the LAN/WAN routing works fine the way it
is.

I'm on 32 bit 2.1.4

Many thanks,
Chris
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
> OPT1 interface - actually has the VM's WAN MAC address (the second
> interface rather than the third interface)

If you haven't yet, you might want to reassign interfaces on the console
login screen. The Option is number (1) in the list. 

Then reboot.




Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Oh that's odd, they were mixed-up on the console screen and on the
option to reassign interfaces. 

I'd expect em0, em1 and em2 to be enumerated in the same order as the
virtual interfaces presented to the VM, but when reassigning, they were
like this:

em0  first MAC address  (up)
em1  third MAC address  (up)    -- shouldn't that be the second MAC address?
em2  third MAC address  (down)  -- correct MAC address, but surely that should be 'up'?

I chose interfaces again anyhow (WAN -- em1, LAN -- em0 and OPT1 --
em2). After one restart my internet access disappeared, but reassigning
via the UI WAN -- PPPOE1 did the trick. 

After one restart it's still working.

Many thanks, I'll remember that one in future!



Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
> em1 third MAC address (up) -- shouldn't that be the second MAC address?


Are you saying two interfaces have the same mac address even after
reassignment? That's not right. 





Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
They don't now, but the process of reassignment suggested that they did,
and that one of them was down, i.e. the "Valid interfaces are:" list
wasn't right. It's now correct though, thanks for that.



Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Just one more issue now which has me puzzled and I'm hoping someone has
some ideas? It appears to be working for some hosts but not others?

I have a machine 192.168.yyy.60, which I can ping & SSH to from the
192.168.xxx.0 network.
I have a machine 192.168.yyy.40, which listens on port 80. I can access
HTTP from the 192.168.xxx.0 network, but I can't SSH or ping it.
I *can* SSH from 192.168.yyy.60 to 192.168.yyy.40, so it is up.
I can ping 192.168.yyy.40 from the OPT1 interface; that's fine. 
As soon as I try to ping from the LAN interface, 100% packet loss.
Yet try to do the same with 192.168.yyy.60, it's fine.



Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread Chris Murray
Oh I've got it: lack of default route on 192.168.yyy.40

Just how HTTP was working is still a mystery though.

Apologies for the noise!

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
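
The diagnosis that closed this thread (no default route on 192.168.yyy.40) can be reproduced with a return-path lookup; this is an added example, not part of any poster's message. The addresses are constructed stand-ins for the redacted ones (192.168.10.0/24 for LAN, 192.168.20.0/24 for OPT1), and the host routing tables are assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. Returns (network, gateway) or None if nothing covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best

def reply_path(routes, source):
    """Where a host sends its reply to `source`, given the host's own routing table."""
    match = lookup(routes, source)
    if match is None:
        return "no route: reply dropped"
    _, gateway = match
    return "on-link" if gateway is None else f"via {gateway}"

# Constructed sample data (stand-ins for the thread's xxx/yyy addresses).
LAN_CLIENT = "192.168.10.25"   # a machine on the LAN side of the firewall
OPT1_GW = "192.168.20.1"       # the firewall's OPT1 address
HOSTS = {
    # connected route plus a default route through the OPT1 interface
    "192.168.20.60": [("192.168.20.0/24", None), ("0.0.0.0/0", OPT1_GW)],
    # connected route only: the misconfiguration found at the end of the thread
    "192.168.20.40": [("192.168.20.0/24", None)],
}

def diagnose(hosts, sources):
    """For each host, report how it would answer each source address."""
    return {
        host: {src: reply_path(routes, src) for src in sources}
        for host, routes in hosts.items()
    }

if __name__ == "__main__":
    report = diagnose(HOSTS, [LAN_CLIENT, OPT1_GW, "192.168.20.60"])
    for host, paths in report.items():
        for src, path in paths.items():
            print(f"{host} replying to {src}: {path}")
```

The firewall rules pass the request in both cases; only the host without a default route has nowhere to send a reply to another subnet, which matches the ping results reported from the OPT1 interface, from 192.168.yyy.60 and from the LAN. The model does not account for HTTP having worked.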